Yes, Hackers Could Build an iPhone Botnet—Thanks to Windows

Ariel Zambelich/WIRED

A reminder to Apple and smug iPhone owners: Just because iOS has never been the victim of a widespread malware outbreak doesn’t mean mass iPhone hacking isn’t still possible. Now one group of security researchers plans to show how to enslave an entire botnet of Apple gadgets through a perennial weak point—their connection to vulnerable Windows PCs.

In a study they will reveal next week, Georgia Tech researchers have assembled the pieces needed to build a fully-controlled collection of hacked iOS devices despite Apple’s airtight restrictions on software installed on iPhones and iPads. The researchers haven’t just created a full, working exploit for the mobile operating system. They’ve also identified a large slice of malware-infected Windows machines—around 23 percent of those they tested—that regularly connect to iOS devices and could easily be used to deliver the attack. And they say that blueprint for an iPhone botnet should serve as a warning to Apple that despite its devices’ vaunted security, it could do much more to fix iOS’s hackable vulnerabilities faster.

“Many people believe large-scale infections of iOS devices aren’t possible. We want to show that’s not true,” says Tielei Wang, one of three researchers who will present the research at the Black Hat security conference next week and at the Usenix security conference later this month. “iOS itself is very secure. But if you consider the whole ecosystem, you can see that PCs play an important role, and they’re very likely to be compromised. That leaves the iPhone in an insecure state too.”

Apple is as much to blame as Microsoft. The researchers built their attack largely from bugs Apple has long been aware of but neglected to fix. Most of the vulnerabilities they used came from a “jailbreak” exploit known as “evasi0n” that hackers published in December to let iOS users circumvent Apple’s software restrictions. When Apple released iOS version 7.1 four months later, the Georgia Tech researchers say, the company fixed just three of the eight vulnerabilities the jailbreak had linked together. The remaining bugs that Apple failed to patch, along with two new vulnerabilities the researchers discovered themselves, allowed the Georgia Tech team to reassemble a full iOS exploit that would give a hacker complete control of the phone. The same jailbreak vulnerabilities that let users install unauthorized software, after all, can also allow an attacker to install malicious programs.

The researchers say their attack shows Apple could do more to fix known vulnerabilities.

“For some seemingly trivial bugs, Apple doesn’t seem to care very much. But from the attacker’s point of view, these ‘trivial bugs’ can add up to very important attacks,” says Wang. “We want to show that vendors need to be very careful about their vulnerabilities and fix them all.”

The Georgia Tech researchers say they warned Apple about their exploit more than three months ago, but the company still hasn’t patched the bugs they used. Even so, they don’t plan to release the code for their iOS exploit at Black Hat because doing so would violate university policies. But they will describe the attack in some detail, both at Black Hat and in their Usenix paper. “There will be no code,” says Georgia Tech’s Yeongjin Jang. “But if some of the other developers understand our talk, they could reproduce the work.”

An Apple spokeswoman told WIRED the company works “tirelessly” to ensure the security of its hardware and software, and promised new security fixes soon. “We appreciate the information Georgia Tech provided to us and have fixes in an upcoming software update that address the issues they shared,” she wrote in a followup statement.

The main limitation to the researchers’ work, which most likely convinced Apple not to rush out a fix, is that the exploit is “tethered.” Like the evasi0n jailbreak it’s largely based on, an iPhone or iPad initially would need to be plugged into a computer for the hack to work. That’s a minor inconvenience for users seeking to jailbreak their iPhones, but it presents a more serious barrier to hackers hoping to use it for malicious ends.

Georgia Tech’s hackers weren’t deterred. They set out to show just how many iOS devices are ripe for exploitation via USB connections to Windows machines. Borrowing data from the botnet analysis firm Damballa, they analyzed the anonymized DNS queries of half a million malware-infected Windows PCs from two Internet providers in 13 US cities. Those DNS requests—the Internet equivalent of a phonebook lookup—showed them when one of those infected computers connected to Apple’s App Store via iTunes. They assumed any Windows user downloading Apple’s apps must be planning to connect their iPad or iPhone sooner or later. And it would only take a one-time USB connection to a hacker-controlled PC to implement the sort of tethered exploit the Georgia Tech researchers developed. “If you connect to any of those compromised computers, it becomes a jumping off point to deliver the exploit to your phone,” explains Jang.

With that analysis, the Georgia Tech researchers counted 112,233 iOS-connected PCs spread across 10 botnets tracked by Damballa. But given that each of those Windows computers could likely connect to multiple iPhones and iPads—and that the researchers tracked only a small subset of known botnets—they say that count is most likely just a fraction of the total number of vulnerable iOS devices.

To Apple’s credit, its security measures have kept the iPhone free of mass infections until now—a recent report from the antivirus firm F-Secure pegged Android as the host of 97 percent of mobile device malware, with the other 3 percent affecting Nokia’s dead-but-still-lingering Symbian operating system.

But the sort of attack that Georgia Tech’s researchers developed still could be used in more targeted attacks by the NSA or other highly resourced spies. One of Edward Snowden’s leaks earlier this year revealed a the NSA program DropoutJeep. The tool attacks iOS devices via something an NSA document refers to as “close access methods,” which may mean the same sort of USB connection attack Georgia Tech’s researchers describe.

With Android dominating smartphone market share and presenting a much softer target to hackers, the large-scale infections Georgia Tech’s researchers describe may not be worth a profit-motivated cybercriminal’s time. But the same techniques and vulnerabilities can also be used for more selective hacking. And if Apple wants to prevent those more finely-targeted attacks, it could do more–and act faster–to fix the bugs that enable them.

Here’s The Thing With Ad Blockers

We get it: Ads aren’t what you’re here for. But ads help us keep the lights on. So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it.